Monitor Prawniczy

no. 23/2020

Small and medium sized enterprises in the General Data Protection Regulation

Dominik Lubasz
The author is an attorney-at-law and managing partner at Lubasz i Wspólnicy – Kancelaria Radców Prawnych. He is an expert on e-commerce for Stowarzyszenie Konsumentów Polskich and for Izba Gospodarki Elektronicznej Ecommerce Polska, and a member of the audit committee of Stowarzyszenie Prawa Nowych Technologii. Co-creator of the GDPR-based risk analysis tool GDPR Risk Tracker; ORCID: 0000-0001-9716-5802.
Abstract

There is a paradox associated with ensuring compliance, in particular in the area of data protection and innovations with respect to data-based services. Entrepreneurs need network effects, but at the same time, especially those who have just started their businesses, have the least amount of resources and opportunities to implement data protection mechanisms. The scale of the problem is shown by successive 2019 reports indicating that as many as 50% of small businesses did not make any effort to prepare for the requirements laid down by the GDPR. The main barrier is not only the shortage of resources, but also the lack of expertise, limited access to practical interpretational guidelines for understanding the requirements, lack of consistency between the interpretation of regulations and the actions of supervisory authorities in the EU, and finally problems with understanding what changes are to be effected in order to ensure compliance, in particular in the risk analysis area.

At the stage of drafting the GDPR provisions, the issue of potential implementation challenges for micro, small and medium-sized enterprises had been identified, though never fully taken care of in the final text. Although it had been stressed that the MSEs' perspective would be taken into consideration, and the regulation had been drafted with the use of risk-based mechanisms allowing the context of a given organisation to be taken into account upon implementation, this did not sufficiently resolve the practical problems of this category of enterprises. The efforts undertaken by organisations and associations of micro, small and medium-sized enterprises, as well as by national personal data protection bodies, the European Data Protection Board and the European Commission, are absolutely inadequate. Therefore, it is necessary to intensify efforts aimed at finding solutions that would increase the implementation of the regulations, which is the subject of the analysis in this article.